Newer
Older
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
<div align="center">
**ETSI EN 304-617 V0.0.6 (2025-11)**
</div>
HARMONISED EUROPEAN STANDARD
CYBER; CRA; <br />
Essential cybersecurity requirements for Browsers
<div style="text-align: center;">
Reference<br />
<Workitem><br />
Keywords<br />
<keywords><br />
ETSI<br />
650 Route des Lucioles<br />
F-06921 Sophia Antipolis Cedex - FRANCE<br />
Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16<br />
Siret N° 348 623 562 00017 - APE 7112B<br />
Association à but non lucratif enregistrée à la<br />
Sous-préfecture de Grasse (06) N° w061004871<br />
</div>
**_Important notice_**
The present document may be made available in electronic versions and/or in print. The content of any electronic and/or print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any existing or perceived difference in contents between such versions and/or in print, the prevailing version of an ETSI deliverable is the one made publicly available in PDF format on [ETSI deliver](ETSI deliver) repository.
Users should be aware that the present document may be revised or have its status changed, this information is available in the [Milestones listing](Milestones listing).
If you find errors in the present document, please send your comments to the relevant service listed under [Committee Support Staff](Committee Support Staff).
If you find a security vulnerability in the present document, please report it through our [Coordinated Vulnerability Disclosure (CVD)](Coordinated Vulnerability Disclosure (CVD)) program.
**_Notice of disclaimer & limitation of liability_**
The information provided in the present deliverable is directed solely to professionals who have the appropriate degree of experience to understand and interpret its content in accordance with generally accepted engineering or other professional standard and applicable regulations.
No recommendation as to products and services or vendors is made or should be implied.
No representation or warranty is made that this deliverable is technically accurate or sufficient or conforms to any law and/or governmental rule and/or regulation and further, no representation or warranty is made of merchantability or fitness for any particular purpose or against infringement of intellectual property rights.
In no event shall ETSI be held liable for loss of profits or any other incidental or consequential damages.
Any software contained in this deliverable is provided "AS IS" with no warranties, express or implied, including but not limited to, the warranties of merchantability, fitness for a particular purpose and non-infringement of intellectual property rights and ETSI shall not be held liable in any event for any damages whatsoever (including, without limitation, damages for loss of profits, business interruption, loss of information, or any other pecuniary loss) arising out of or related to the use of or inability to use the software.
<br />
**_Copyright Notification_**
No part may be reproduced or utilised in any form or by any means, electronic or mechanical, including photocopying and microfilm except as authorised by written permission of ETSI. The content of the PDF version shall not be modified without the written authorization of ETSI. The copyright and the foregoing restriction extend to reproduction in all media.
© ETSI 2025.
All rights reserved.<br />
</div>
# Contents
<!-- TOC_DOCX_PLACEHOLDER -->
## Table of Contents
- [Intellectual Property Rights](#intellectual-property-rights)
- [Foreword](#foreword)
- [Modal verbs terminology](#modal-verbs-terminology)
- [Executive summary](#executive-summary)
- [Introduction](#introduction)
- [1 Scope](#1-scope)
- [1.1 Browser ](#11browser-)
- [1.1.1 Standalone](#111standalone)
- [1.1.2 Embedded](#112-embedded)
- [1.1.3 Progressive Web Apps (PWA)](#113-progressive-web-apps-pwa)
- [1.1.4 Browser Extensions](#114-browser-extensions)
- [1.2 Derivative Browsers and Manufacturer Obligations](#12-derivative-browsers-and-manufacturer-obligations)
- [1.2.1 Open Source Browser Engines and Derivative Products](#121-open-source-browser-engines-and-derivative-products)
- [1.2.2 Spectrum of Derivative Modifications](#122-spectrum-of-derivative-modifications)
- [1.2.3 Manufacturer Responsibilities for Derivative Products](#123-manufacturer-responsibilities-for-derivative-products)
- [1.2.4 Trust in Upstream Security Implementations](#124-trust-in-upstream-security-implementations)
- [1.2.5 Application of This Standard to Derivative Browsers](#125-application-of-this-standard-to-derivative-browsers)
- [1.2.6 State of the Art: Industry Testing and Security Practices](#126-state-of-the-art-industry-testing-and-security-practices)
- [2 References](#2-references)
- [2.1 Normative references](#21-normative-references)
- [2.2 Informative references](#22-informative-references)
- [3 Definition of terms, symbols and abbreviations](#3-definition-of-terms-symbols-and-abbreviations)
- [3.1 Terms](#31-terms)
- [3.2 Symbols](#32-symbols)
- [4 Product Context](#4-product-context)
- [4.1 General](#41-general)
- [4.2 Out of scope use/environments](#42-out-of-scope-useenvironments)
- [4.3 In-Scope Components](#43-in-scope-components)
- [4.3.1 In-Scope components standalone browser](#431-in-scope-components-standalone-browser)
- [4.3.2 In-Scope components embedded browser](#432-in-scope-components-embedded-browser)
- [4.4 Use Cases](#44-use-cases)
- [4.4.1 Application to Conformity Assessment](#441-application-to-conformity-assessment)
- [4.4.2 Use Cases for Browsers](#442-use-cases-for-browsers)
- [4.5 Product overview and architecture](#45-product-overview-and-architecture)
- [4.5.1 Product Definition](#451-product-definition)
- [4.5.2 Architectural Overview](#452-architectural-overview)
- [4.5.2.1 Core Architecture Components](#4521-core-architecture-components)
- [4.5.2.2 Security Architecture](#4522-security-architecture)
- [4.5.2.3 Extension Architecture](#4523-extension-architecture)
- [4.5.3 Trust Boundaries and Threat Model](#453-trust-boundaries-and-threat-model)
- [4.5.3.1 Trust Zones](#4531-trust-zones)
- [4.5.3.2 Attack Surface](#4532-attack-surface)
- [4.5.4 Deployment Contexts](#454-deployment-contexts)
- [4.5.4.1 Consumer Environment](#4541-consumer-environment)
- [4.5.4.2 Enterprise Environment](#4542-enterprise-environment)
- [4.5.4.3 Specialized Environments](#4543-specialized-environments)
- [4.5.5 Security-Relevant Characteristics](#455-security-relevant-characteristics)
- [4.5.5.1 Dynamic Threat Landscape](#4551-dynamic-threat-landscape)
- [4.5.5.2 Compatibility Requirements](#4552-compatibility-requirements)
- [4.5.5.3 Performance Constraints](#4553-performance-constraints)
- [4.5.5.4 User Agency and Autonomy](#4554-user-agency-and-autonomy)
- [4.6 Essential functions](#46-essential-functions)
- [4.6.1 Core Essential Functions](#461-core-essential-functions)
- [4.6.2 Security-Related Essential Functions](#462-security-related-essential-functions)
- [4.6.3 Embedded Browser-Specific Security Functions](#463-embedded-browser-specific-security-functions)
- [4.6.4 Functions NOT Considered Essential](#464-functions-not-considered-essential)
- [4.7 Operational Environment](#47-operational-environment)
- [4.7.1 Technical Environment](#471-technical-environment)
- [4.7.2 Physical Environment](#472-physical-environment)
- [4.7.3 Organizational Environment](#473-organizational-environment)
- [4.7.4 Threat Environment](#474-threat-environment)
- [4.7.5 Lifecycle Environment](#475-lifecycle-environment)
- [4.8 Users](#48-users)
- [4.8.1 User Categories](#481-user-categories)
- [4.8.2 User Behavior Patterns](#482-user-behavior-patterns)
- [4.8.3 User Needs and Expectations](#483-user-needs-and-expectations)
- [4.8.4 User Assistance and Responsibilities](#484-user-assistance-and-responsibilities)
- [4.8.5 Accessibility Considerations](#485-accessibility-considerations)
- [5 Browser-Specific Risk Factors](#5-browser-specific-risk-factors)
- [5.1 Isolation Mechanisms](#51-isolation-mechanisms)
- [5.2 Extension System Security](#52-extension-system-security)
- [5.3 Encryption Implementation](#53-encryption-implementation)
- [5.4 Diagnostic and Monitoring Systems](#54-diagnostic-and-monitoring-systems)
- [5.5 Update Delivery Mechanisms](#55-update-delivery-mechanisms)
- [5.6 Protocol Handler Security](#56-protocol-handler-security)
- [5.7 Core Component Security](#57-core-component-security)
- [5.8 Embedded Browser Security](#58-embedded-browser-security)
- [5.8.1 Overview](#581-overview)
- [5.8.2 Host Application Boundary Security](#582-host-application-boundary-security)
- [5.8.3 Content Source Trust Management](#583-content-source-trust-management)
- [5.9 Remote Data Processing Systems](#59-remote-data-processing-systems)
- [6 Technical Security Assessments](#6-technical-security-assessments)
- [6.1 Domain and Origin Isolation Assessments](#61-domain-and-origin-isolation-assessments)
- [Assessment: DOM-REQ-1 (Process-per-site isolation)](#assessment-dom-req-1-process-per-site-isolation)
- [Assessment: DOM-REQ-2 (Cross-origin read blocking)](#assessment-dom-req-2-cross-origin-read-blocking)
- [Assessment: DOM-REQ-3 (Strict origin policy enforcement)](#assessment-dom-req-3-strict-origin-policy-enforcement)
- [Assessment: DOM-REQ-4 (CORS preflight enforcement)](#assessment-dom-req-4-cors-preflight-enforcement)
- [Assessment: DOM-REQ-5 (Cookie SameSite attribute enforcement)](#assessment-dom-req-5-cookie-samesite-attribute-enforcement)
- [Assessment: DOM-REQ-6 (Origin-bound storage isolation)](#assessment-dom-req-6-origin-bound-storage-isolation)
- [Assessment: DOM-REQ-7 (Frame sandboxing support)](#assessment-dom-req-7-frame-sandboxing-support)
- [Assessment: DOM-REQ-8 (Opaque origin handling)](#assessment-dom-req-8-opaque-origin-handling)
- [Assessment: DOM-REQ-9 (CORP for cross-origin isolation)](#assessment-dom-req-9-corp-for-cross-origin-isolation)
- [Assessment: DOM-REQ-10 (COOP enforcement)](#assessment-dom-req-10-coop-enforcement)
- [Assessment: DOM-REQ-11 (COEP enforcement)](#assessment-dom-req-11-coep-enforcement)
- [Assessment: DOM-REQ-12 (Document.domain deprecation)](#assessment-dom-req-12-documentdomain-deprecation)
- [Assessment: DOM-REQ-13 (Enterprise origin isolation policy configuration)](#assessment-dom-req-13-enterprise-origin-isolation-policy-configuration)
- [Assessment: DOM-REQ-14 (Logging of policy-based isolation exceptions)](#assessment-dom-req-14-logging-of-policy-based-isolation-exceptions)
- [Assessment: DOM-REQ-15 (Compatibility mode isolation integrity)](#assessment-dom-req-15-compatibility-mode-isolation-integrity)
- [Assessment: DOM-REQ-16 (Third-party integration isolation)](#assessment-dom-req-16-third-party-integration-isolation)
- [Assessment: DOM-REQ-17 (Documentation and logging of compatibility exceptions)](#assessment-dom-req-17-documentation-and-logging-of-compatibility-exceptions)
- [Assessment: DOM-REQ-18 (Embedded component storage isolation)](#assessment-dom-req-18-embedded-component-storage-isolation)
- [6.2 Extension System Security Assessments](#62-extension-system-security-assessments)
- [Assessment: EXT-REQ-1 (Permission model for extensions)](#assessment-ext-req-1-permission-model-for-extensions)
- [Assessment: EXT-REQ-2 (Content script isolation)](#assessment-ext-req-2-content-script-isolation)
- [Assessment: EXT-REQ-3 (Extension API access control)](#assessment-ext-req-3-extension-api-access-control)
- [Assessment: EXT-REQ-4 (Manifest validation)](#assessment-ext-req-4-manifest-validation)
- [Assessment: EXT-REQ-5 (Extension sandboxing)](#assessment-ext-req-5-extension-sandboxing)
- [Assessment: EXT-REQ-6 (Cross-extension isolation)](#assessment-ext-req-6-cross-extension-isolation)
- [Assessment: EXT-REQ-7 (Host permissions validation)](#assessment-ext-req-7-host-permissions-validation)
- [Assessment: EXT-REQ-8 (CSP for extensions)](#assessment-ext-req-8-csp-for-extensions)
- [Assessment: EXT-REQ-9 (WebRequest API security)](#assessment-ext-req-9-webrequest-api-security)
- [Assessment: EXT-REQ-10 (Extension update verification)](#assessment-ext-req-10-extension-update-verification)
- [Assessment: EXT-REQ-11 (Extension storage isolation)](#assessment-ext-req-11-extension-storage-isolation)
- [Assessment: EXT-REQ-12 (Background script restrictions)](#assessment-ext-req-12-background-script-restrictions)
- [Assessment: EXT-REQ-13 (Manifest V3 compliance)](#assessment-ext-req-13-manifest-v3-compliance)
- [Assessment: EXT-REQ-14 (Native messaging security)](#assessment-ext-req-14-native-messaging-security)
- [Assessment: EXT-REQ-15 (Extension-controlled web content)](#assessment-ext-req-15-extension-controlled-web-content)
- [Assessment: EXT-REQ-16 (Extension telemetry privacy)](#assessment-ext-req-16-extension-telemetry-privacy)
- [Assessment: EXT-REQ-17 (Extension signature validation)](#assessment-ext-req-17-extension-signature-validation)
- [Assessment: EXT-REQ-18 (Extension permissions UI transparency)](#assessment-ext-req-18-extension-permissions-ui-transparency)
- [Assessment: EXT-REQ-19 (No extension support enforcement)](#assessment-ext-req-19-no-extension-support-enforcement)
- [Assessment: EXT-REQ-20 (Extension code loading prevention)](#assessment-ext-req-20-extension-code-loading-prevention)
- [Assessment: EXT-REQ-21 (Extension subsystem removal)](#assessment-ext-req-21-extension-subsystem-removal)
- [Assessment: EXT-REQ-22 (Official extension store restriction)](#assessment-ext-req-22-official-extension-store-restriction)
- [Assessment: EXT-REQ-23 (Extension security review requirement)](#assessment-ext-req-23-extension-security-review-requirement)
- [Assessment: EXT-REQ-24 (Developer mode activation security)](#assessment-ext-req-24-developer-mode-activation-security)
- [Assessment: EXT-REQ-25 (Developer mode visual indicators)](#assessment-ext-req-25-developer-mode-visual-indicators)
- [Assessment: EXT-REQ-26 (Developer mode update disablement)](#assessment-ext-req-26-developer-mode-update-disablement)
- [Assessment: EXT-REQ-27 (Developer mode activity logging)](#assessment-ext-req-27-developer-mode-activity-logging)
- [Assessment: EXT-REQ-28 (Enterprise developer mode control)](#assessment-ext-req-28-enterprise-developer-mode-control)
- [Assessment: EXT-REQ-29 (Sideloaded extension warnings)](#assessment-ext-req-29-sideloaded-extension-warnings)
Loading
Loading full blame…